Iam试图为我的log4js日志创建grok logstash过滤器。Grok过滤器log4js
在我的NodeJS应用程序的代码如下:
var httpLogFormat = ':remote-addr - - [:date] ":method :url ' + 'HTTP/:http-version" :status :res[content-length] ' + '":referrer" ":user-agent" :response-time';
log4js.loadAppender('file');
log4js.addAppender(log4js.appenders.file('logs/access.log'), 'access');
var logger = log4js.getLogger('access');
app.use(log4js.connectLogger(logger, { level: 'auto', format: httpLogFormat }));
这将导致以下日志消息:
[2017-01-31 08:54:32.491] [WARN] access - 192.1.1.10 - - [Tue, 31 Jan 2017 07:54:32 GMT] "GET /api/test HTTP/1.0" 304 undefined "https://localhost.com/test" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.75 Safari/537.36" 111
我现在的神交过滤器看起来像这样(修订版):
grok {
match => { "message" => "\[%{HTTPDATE:timestamp}\] \[%{WORD:loglevel}\] %{WORD:logtype} - %{IPORHOST:clientip} %{USER:ident} %{USER:auth} \"%{WORD:verb} %{NOTSPACE:request}(?: HTTP/%{NUMBER:httpversion})\" %{NUMBER:response} - \"%{DATA:rawrequest}\" \"%{QS:agent}\""}
}
有一些解析错误,我怀疑这是由于[]但我不确定。
http://grokconstructor.appspot.com/失败:
不匹配。匹配该行开头的最长正则表达式前缀如下: 前缀“ 匹配前:[2017-01-31 08:54:32.491] [WARN] access - 192.1.1.10 - - [Tue,31 Jan 2017 07 :54:32 GMT] GET/api/test HTTP/1.0“304 undefined”https://test.localhost.com/test“”Mozilla/5.0(Windows NT 6.1; WOW64)AppleWebKit/537.36(KHTML,像Gecko)Chrome/55.0.2883.75 Safari /537.36“111
嗨Rumbles,我的错误,我复制了两次示例消息。已经更新了我上面的grok过滤器。 – Tony
感谢Rumbles,作品像一个魅力! – Tony